
trivy-operator-polr-adapter's Introduction

Hi, I'm Frank from Germany, working as a software developer.

I'm a big fan of Cloud Infrastructure and the tooling around them.

Contact

GitHub Badge Twitter Badge LinkedIn Badge

Certificates

CKA Badge CKAD Badge

Resources

I write hands-on articles on my blog CodeYourWorld

Statistics

Frank's GitHub stats and most used languages

trivy-operator-polr-adapter's People

Contributors

boeller666, caruccio, dependabot[bot], fjogeleit


trivy-operator-polr-adapter's Issues

[ClusterInfraAssessmentReport] failed to create ClusterPolicyReport: ClusterPolicyReport.wgpolicyk8s.io

Hello 👋

With the latest version of both the POLR Adapter and Trivy, we are currently getting:

2023/07/27 12:06:53 [ERROR] ClusterInfraAssessmentReport: Failed to process report node-ip-10-4-34-125.eu-central-1.compute.internal; failed to create ClusterPolicyReport: ClusterPolicyReport.wgpolicyk8s.io "trivy-infra-cpolr-node-ip-10-4-34-125.eu-central-1.compute.internal" is invalid: [metadata.ownerReferences.apiVersion: Invalid value: "": version must not be empty, metadata.ownerReferences.kind: Invalid value: "": kind must not be empty]

My current versions

  • Trivy POLR Adapter => 0.6.0
  • Trivy Operator => 0.15.1
  • Not sure if it's relevant, however, Kubernetes version => 1.27 on AWS EKS

A sample of my Trivy ClusterInfraAssessmentReport CRD

apiVersion: aquasecurity.github.io/v1alpha1
kind: ClusterInfraAssessmentReport
metadata:
  creationTimestamp: '2023-07-27T12:06:52Z'
  generation: 1
  labels:
    plugin-config-hash: 659b7b9c46
    resource-spec-hash: 767485d8b5
    trivy-operator.resource.kind: Node
    trivy-operator.resource.name: ip-10-4-34-125.eu-central-1.compute.internal
    trivy-operator.resource.namespace: ''
  managedFields:
    - apiVersion: aquasecurity.github.io/v1alpha1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:labels:
            .: {}
            f:plugin-config-hash: {}
            f:resource-spec-hash: {}
            f:trivy-operator.resource.kind: {}
            f:trivy-operator.resource.name: {}
            f:trivy-operator.resource.namespace: {}
          f:ownerReferences:
            .: {}
            k:{"uid":"0589c43a-b7e8-4416-a28c-2dcbadd49f1d"}: {}
        f:report:
          .: {}
          f:checks: {}
          f:scanner:
            .: {}
            f:name: {}
            f:vendor: {}
            f:version: {}
          f:summary:
            .: {}
            f:criticalCount: {}
            f:highCount: {}
            f:lowCount: {}
            f:mediumCount: {}
      manager: Go-http-client
      operation: Update
      time: '2023-07-27T12:06:52Z'
  name: node-ip-10-4-34-125.eu-central-1.compute.internal
  ownerReferences:
    - apiVersion: v1
      blockOwnerDeletion: false
      controller: true
      kind: Node
      name: ip-10-4-34-125.eu-central-1.compute.internal
      uid: 0589c43a-b7e8-4416-a28c-2dcbadd49f1d
  resourceVersion: '180364507'
  uid: 7d56069b-012e-45a3-9510-6ad315d9c1b1
  selfLink: >-
    /apis/aquasecurity.github.io/v1alpha1/clusterinfraassessmentreports/node-ip-10-4-34-125.eu-central-1.compute.internal
report:
  checks:
    - category: Kubernetes Security Check
      checkID: KCV0047
      description: Do not use self-signed certificates for TLS.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --peer-auto-tls argument is not set to true
    - category: Kubernetes Security Check
      checkID: KCV0089
      description: Setup TLS connection on the Kubelets.
      messages:
        - Ensure that the --tls-key-file argument are set as appropriate
      severity: CRITICAL
      success: false
      title: Ensure that the --tls-key-file argument are set as appropriate
    - category: Kubernetes Security Check
      checkID: KCV0135
      description: Use individual service account credentials for each controller.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --use-service-account-credentials argument is set to
        true
    - category: Kubernetes Security Check
      checkID: KCV0085
      description: Do not disable timeouts on streaming connections.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the --streaming-connection-idle-timeout argument is not set
        to 0
    - category: Kubernetes Security Check
      checkID: KCV0079
      description: Disable anonymous requests to the Kubelet server.
      messages:
        - ''
      severity: CRITICAL
      success: true
      title: Ensure that the --anonymous-auth argument is set to false
    - category: Kubernetes Security Check
      checkID: KCV0037
      description: >-
        Allow pods to verify the API server's serving certificate before
        establishing connections.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --root-ca-file argument is set as appropriate
    - category: Kubernetes Security Check
      checkID: KCV0042
      description: Configure TLS encryption for the etcd service.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --cert-file and --key-file arguments are set as
        appropriate
    - category: Kubernetes Security Check
      checkID: KCV0001
      description: Disable anonymous requests to the API server.
      messages:
        - ''
      severity: MEDIUM
      success: true
      title: Ensure that the --anonymous-auth argument is set to false
    - category: Kubernetes Security Check
      checkID: KCV0092
      description: >-
        Ensure that the Kubelet is configured to only use strong cryptographic
        ciphers.
      messages:
        - Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
      severity: CRITICAL
      success: false
      title: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
    - category: Kubernetes Security Check
      checkID: KCV0087
      description: >-
        Security relevant information should be captured. The --event-qps flag
        on the Kubelet can be used to limit the rate at which events are
        gathered
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the --event-qps argument is set to 0 or a level which
        ensures appropriate event capture
    - category: Kubernetes Security Check
      checkID: KCV0033
      description: Activate garbage collector on pod termination, as appropriate.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --terminated-pod-gc-threshold argument is set as
        appropriate
    - category: Kubernetes Security Check
      checkID: KCV0006
      description: Verify kubelet's certificate before establishing connection.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --kubelet-certificate-authority argument is set as
        appropriate
    - category: Kubernetes Security Check
      checkID: KCV0019
      description: >-
        Enable auditing on the Kubernetes API Server and set the desired audit
        log path.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --audit-log-path argument is set
    - category: Kubernetes Security Check
      checkID: KCV0071
      description: >-
        If kube-proxy is running, and if it is using a file-based kubeconfig
        file, ensure that the proxy kubeconfig file has permissions of 600 or
        more restrictive.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        If proxy kubeconfig file exists ensure permissions are set to 600 or
        more restrictive
    - category: Kubernetes Security Check
      checkID: KCV0077
      description: >-
        Ensure that if the kubelet refers to a configuration file with the
        --config argument, that file has permissions of 600 or more restrictive.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        If the kubelet config.yaml configuration file is being used validate
        permissions set to 600 or more restrictive
    - category: Kubernetes Security Check
      checkID: KCV0063
      description: Ensure that the scheduler config  file ownership is set to root:root.
      messages:
        - ''
      severity: HIGH
      success: true
      title: Ensure that the scheduler config  file ownership is set to root:root
    - category: Kubernetes Security Check
      checkID: KCV0048
      description: >-
        Ensure that the API server pod specification file has permissions of 600
        or more restrictive.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the API server pod specification file permissions are set to
        600 or more restrictive
    - category: Kubernetes Security Check
      checkID: KCV0069
      description: >-
        Ensure that the kubelet service file has permissions of 600 or more
        restrictive.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the kubelet service file permissions are set to 600 or more
        restrictive
    - category: Kubernetes Security Check
      checkID: KCV0065
      description: >-
        Ensure that the controller-manager config  file ownership is set to
        root:root.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the controller-manager config  file ownership is set to
        root:root
    - category: Kubernetes Security Check
      checkID: KCV0057
      description: >-
        Ensure that the container network interface file ownership is set to
        root:root.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the container network interface file ownership is set to
        root:root
    - category: Kubernetes Security Check
      checkID: KCV0026
      description: >-
        etcd should be configured to make use of TLS encryption for client
        connections.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as
        appropriate
    - category: Kubernetes Security Check
      checkID: KCV0007
      description: Do not always authorize all requests.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --authorization-mode argument is not set to AlwaysAllow
    - category: Kubernetes Security Check
      checkID: KCV0036
      description: >-
        Explicitly set a service account private key file for service accounts
        on the controller manager.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --service-account-private-key-file argument is set as
        appropriate
    - category: Kubernetes Security Check
      checkID: KCV0078
      description: >-
        Ensure that if the kubelet refers to a configuration file with the
        --config argument, that file is owned by root:root.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        If the kubelet config.yaml configuration file is being used validate
        file ownership is set to root:root 
    - category: Kubernetes Security Check
      checkID: KCV0052
      description: >-
        Ensure that the scheduler pod specification file has permissions of 600
        or more restrictive.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the scheduler pod specification file permissions are set to
        600 or more restrictive
    - category: Kubernetes Security Check
      checkID: KCV0013
      description: >-
        The SecurityContextDeny admission controller can be used to deny pods
        which make use of some SecurityContext fields which could allow for
        privilege escalation in the cluster. This should be used where
        PodSecurityPolicy is not in place within the cluster.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the admission control plugin SecurityContextDeny is set if
        PodSecurityPolicy is not used
    - category: Kubernetes Security Check
      checkID: KCV0003
      description: >-
        This admission controller rejects all net-new usage of the Service field
        externalIPs.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --DenyServiceExternalIPs is not set
    - category: Kubernetes Security Check
      checkID: KCV0014
      description: Automate service accounts management.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the admission control plugin ServiceAccount is set
    - category: Kubernetes Security Check
      checkID: KCV0084
      description: Allow Kubelet to manage iptables.
      messages:
        - ''
      severity: HIGH
      success: true
      title: Ensure that the --make-iptables-util-chains argument is set to true
    - category: Kubernetes Security Check
      checkID: KCV0067
      description: Ensure that the Kubernetes PKI key file permission is set to 600.
      messages:
        - ''
      severity: CRITICAL
      success: true
      title: Ensure that the Kubernetes PKI key file permission is set to 600
    - category: Kubernetes Security Check
      checkID: KCV0088
      description: Setup TLS connection on the Kubelets.
      messages:
        - Ensure that the --tls-cert-file argument are set as appropriate
      severity: CRITICAL
      success: false
      title: Ensure that the --tls-cert-file argument are set as appropriate
    - category: Kubernetes Security Check
      checkID: KCV0011
      description: Do not allow all requests.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the admission control plugin AlwaysAdmit is not set
    - category: Kubernetes Security Check
      checkID: KCV0081
      description: Enable Kubelet authentication using certificates.
      messages:
        - Ensure that the --client-ca-file argument is set as appropriate
      severity: CRITICAL
      success: false
      title: Ensure that the --client-ca-file argument is set as appropriate
    - category: Kubernetes Security Check
      checkID: KCV0004
      description: Use https for kubelet connections.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --kubelet-https argument is set to true
    - category: Kubernetes Security Check
      checkID: KCV0044
      description: Do not use self-signed certificates for TLS.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --auto-tls argument is not set to true
    - category: Kubernetes Security Check
      checkID: KCV0091
      description: Enable kubelet server certificate rotation.
      messages:
        - Verify that the RotateKubeletServerCertificate argument is set to true
      severity: HIGH
      success: false
      title: Verify that the RotateKubeletServerCertificate argument is set to true
    - category: Kubernetes Security Check
      checkID: KCV0056
      description: >-
        Ensure that the container network interface file has permissions of 600
        or more restrictive.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the container network interface file permissions are set to
        600 or more restrictive
    - category: Kubernetes Security Check
      checkID: KCV0017
      description: Do not disable the secure port.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --secure-port argument is not set to 0
    - category: Kubernetes Security Check
      checkID: KCV0061
      description: Ensure that the admin config  file ownership is set to root:root.
      messages:
        - ''
      severity: CRITICAL
      success: true
      title: Ensure that the admin config  file ownership is set to root:root
    - category: Kubernetes Security Check
      checkID: KCV0028
      description: Setup TLS connection on the API server.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --client-ca-file argument is set as appropriate
    - category: Kubernetes Security Check
      checkID: KCV0040
      description: Disable profiling, if not needed.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --profiling argument is set to false
    - category: Kubernetes Security Check
      checkID: KCV0002
      description: Do not use token based authentication.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --token-auth-file parameter is not set
    - category: Kubernetes Security Check
      checkID: KCV0054
      description: >-
        Ensure that the etcd pod specification file has permissions of 600 or
        more restrictive.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the etcd pod specification file permissions are set to 600
        or more restrictive
    - category: Kubernetes Security Check
      checkID: KCV0070
      description: Ensure that the kubelet service file ownership is set to root:root.
      messages:
        - ''
      severity: CRITICAL
      success: true
      title: Ensure that the kubelet service file ownership is set to root:root
    - category: Kubernetes Security Check
      checkID: KCV0021
      description: Retain 10 or an appropriate number of old log files.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --audit-log-maxbackup argument is set to 10 or as
        appropriate
    - category: Kubernetes Security Check
      checkID: KCV0045
      description: >-
        etcd should be configured to make use of TLS encryption for peer
        connections.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --peer-cert-file and --peer-key-file arguments are set
        as appropriate
    - category: Kubernetes Security Check
      checkID: KCV0015
      description: Reject creating objects in a namespace that is undergoing termination.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the admission control plugin NamespaceLifecycle is set
    - category: Kubernetes Security Check
      checkID: KCV0075
      description: >-
        Ensure that the certificate authorities file has permissions of 600 or
        more restrictive.
      messages:
        - ''
      severity: CRITICAL
      success: true
      title: >-
        Ensure that the certificate authorities file permissions are set to 600
        or more restrictive
    - category: Kubernetes Security Check
      checkID: KCV0080
      description: Do not allow all requests. Enable explicit authorization.
      messages:
        - >-
          Ensure that the --authorization-mode argument is not set to
          AlwaysAllow
      severity: HIGH
      success: false
      title: Ensure that the --authorization-mode argument is not set to AlwaysAllow
    - category: Kubernetes Security Check
      checkID: KCV0055
      description: >-
        Ensure that the etcd pod specification file ownership is set to
        root:root.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the etcd pod specification file ownership is set to
        root:root
    - category: Kubernetes Security Check
      checkID: KCV0068
      description: >-
        Ensure that the Kubernetes PKI certificate file permission is set to
        600.
      messages:
        - ''
      severity: HIGH
      success: true
      title: Ensure that the Kubernetes PKI certificate file permission is set to 600
    - category: Kubernetes Security Check
      checkID: KCV0038
      description: Enable kubelet server certificate rotation on controller-manager.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the RotateKubeletServerCertificate argument is set to true
    - category: Kubernetes Security Check
      checkID: KCV0043
      description: Enable client authentication on etcd service.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --client-cert-auth argument is set to true
    - category: Kubernetes Security Check
      checkID: KCV0029
      description: >-
        etcd should be configured to make use of TLS encryption for client
        connections.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --etcd-cafile argument is set as appropriate
    - category: Kubernetes Security Check
      checkID: KCV0066
      description: >-
        Ensure that the Kubernetes PKI directory and file file ownership is set
        to root:root.
      messages:
        - ''
      severity: CRITICAL
      success: true
      title: >-
        Ensure that the Kubernetes PKI directory and file file ownership is set
        to root:root
    - category: Kubernetes Security Check
      checkID: KCV0046
      description: etcd should be configured for peer authentication.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --peer-client-cert-auth argument is set to true
    - category: Kubernetes Security Check
      checkID: KCV0008
      description: Restrict kubelet nodes to reading only objects associated with them.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --authorization-mode argument includes Node
    - category: Kubernetes Security Check
      checkID: KCV0025
      description: >-
        Explicitly set a service account public key file for service accounts on
        the apiserver.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --service-account-key-file argument is set as
        appropriate
    - category: Kubernetes Security Check
      checkID: KCV0027
      description: Setup TLS connection on the API server.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --tls-cert-file and --tls-private-key-file arguments are
        set as appropriate
    - category: Kubernetes Security Check
      checkID: KCV0009
      description: Turn on Role Based Access Control.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --authorization-mode argument includes RBAC
    - category: Kubernetes Security Check
      checkID: KCV0022
      description: Rotate log files on reaching 100 MB or as appropriate.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --audit-log-maxsize argument is set to 100 or as
        appropriate
    - category: Kubernetes Security Check
      checkID: KCV0020
      description: Retain the logs for at least 30 days or as appropriate.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --audit-log-maxage argument is set to 30 or as
        appropriate
    - category: Kubernetes Security Check
      checkID: KCV0083
      description: >-
        Protect tuned kernel parameters from overriding kubelet default kernel
        parameter values.
      messages:
        - Ensure that the --protect-kernel-defaults is set to true
      severity: HIGH
      success: false
      title: Ensure that the --protect-kernel-defaults is set to true
    - category: Kubernetes Security Check
      checkID: KCV0074
      description: Ensure that the kubelet.conf file ownership is set to root:root.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the --kubeconfig kubelet.conf file ownership is set to
        root:root
    - category: Kubernetes Security Check
      checkID: KCV0082
      description: Disable the read-only port.
      messages:
        - ''
      severity: HIGH
      success: true
      title: Verify that the --read-only-port argument is set to 0
    - category: Kubernetes Security Check
      checkID: KCV0049
      description: >-
        Ensure that the API server pod specification file ownership is set to
        root:root.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the API server pod specification file ownership is set to
        root:root
    - category: Kubernetes Security Check
      checkID: KCV0064
      description: >-
        Ensure that the controller-manager config file has permissions of 600 or
        more restrictive.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the controller-manager config file permissions are set to
        600 or more restrictive
    - category: Kubernetes Security Check
      checkID: KCV0016
      description: Limit the Node and Pod objects that a kubelet could modify.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the admission control plugin NodeRestriction is set
    - category: Kubernetes Security Check
      checkID: KCV0062
      description: >-
        Ensure that the scheduler config file has permissions of 600 or more
        restrictive.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the scheduler config file permissions are set to 600 or more
        restrictive
    - category: Kubernetes Security Check
      checkID: KCV0018
      description: Disable profiling, if not needed.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --profiling argument is set to false
    - category: Kubernetes Security Check
      checkID: KCV0060
      description: >-
        Ensure that the admin config file has permissions of 600 or more
        restrictive.
      messages:
        - ''
      severity: CRITICAL
      success: true
      title: >-
        Ensure that the admin config file permissions are set to 600 or more
        restrictive
    - category: Kubernetes Security Check
      checkID: KCV0073
      description: >-
        Ensure that the kubelet.conf file has permissions of 600 or more
        restrictive.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the --kubeconfig kubelet.conf file permissions are set to
        600 or more restrictive
    - category: Kubernetes Security Check
      checkID: KCV0051
      description: >-
        Ensure that the controller manager pod specification file ownership is
        set to root:root.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the controller manager pod specification file ownership is
        set to root:root
    - category: Kubernetes Security Check
      checkID: KCV0059
      description: Ensure that the etcd data directory ownership is set to etcd:etcd.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the etcd data directory ownership is set to etcd:etcd
    - category: Kubernetes Security Check
      checkID: KCV0050
      description: >-
        Ensure that the controller manager pod specification file has
        permissions of 600 or more restrictive.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the controller manager pod specification file permissions
        are set to 600 or more restrictive
    - category: Kubernetes Security Check
      checkID: KCV0072
      description: >-
        If kube-proxy is running, ensure that the file ownership of its
        kubeconfig file is set to root:root.
      messages:
        - ''
      severity: HIGH
      success: true
      title: if proxy kubeconfig file exists ensure ownership is set to root:root
    - category: Kubernetes Security Check
      checkID: KCV0039
      description: Do not bind the scheduler service to non-loopback insecure addresses.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --bind-address argument is set to 127.0.0.1
    - category: Kubernetes Security Check
      checkID: KCV0024
      description: Validate service account before validating token.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --service-account-lookup argument is set to true
    - category: Kubernetes Security Check
      checkID: KCV0010
      description: Limit the rate at which the API server accepts requests.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the admission control plugin EventRateLimit is set
    - category: Kubernetes Security Check
      checkID: KCV0086
      description: Do not override node hostnames.
      messages:
        - Ensure that the --hostname-override argument is not set
      severity: HIGH
      success: false
      title: Ensure that the --hostname-override argument is not set
    - category: Kubernetes Security Check
      checkID: KCV0030
      description: Encrypt etcd key-value store.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --encryption-provider-config argument is set as
        appropriate
    - category: Kubernetes Security Check
      checkID: KCV0058
      description: >-
        Ensure that the etcd data directory has permissions of 700 or more
        restrictive.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the etcd data directory permissions are set to 700 or more
        restrictive
    - category: Kubernetes Security Check
      checkID: KCV0090
      description: Enable kubelet client certificate rotation.
      messages:
        - Ensure that the --rotate-certificates argument is not set to false
      severity: HIGH
      success: false
      title: Ensure that the --rotate-certificates argument is not set to false
    - category: Kubernetes Security Check
      checkID: KCV0053
      description: >-
        Ensure that the scheduler pod specification file ownership is set to
        root:root.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the scheduler pod specification file ownership is set to
        root:root
    - category: Kubernetes Security Check
      checkID: KCV0076
      description: >-
        Ensure that the certificate authorities file ownership is set to
        root:root.
      messages:
        - ''
      severity: CRITICAL
      success: true
      title: >-
        Ensure that the client certificate authorities file ownership is set to
        root:root
    - category: Kubernetes Security Check
      checkID: KCV0034
      description: Disable profiling, if not needed.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --profiling argument is set to false
    - category: Kubernetes Security Check
      checkID: KCV0041
      description: Do not bind the scheduler service to non-loopback insecure addresses.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --bind-address argument is set to 127.0.0.1
    - category: Kubernetes Security Check
      checkID: KCV0005
      description: Enable certificate based kubelet authentication.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --kubelet-client-certificate and --kubelet-client-key
        arguments are set as appropriate
  scanner:
    name: Trivy
    vendor: Aqua Security
    version: 0.15.0
  summary:
    criticalCount: 4
    highCount: 5
    lowCount: 0
    mediumCount: 0

Thanks for that initiative :)

Just wanted to thank you fellaz for that amazing initiative!

We are definitely going to have a look at that. Are there any plans to sync the releases with the Trivy releases? We are currently evaluating the Trivy Operator 0.7.1.

failed to wait for compliance caches

Hi,
I don't have compliance enabled in the trivy operator

[INFO] ConfigAuditReports enabled
[INFO] VulnerabilityReports enabled
[INFO] RbacAssessmentReports enabled
[INFO] ExposedSecretReports enabled
[INFO] CISKubeBenchReports enabled
[INFO] InfraAssessmentReportClient enabled

but the application crashed

Error: failed to wait for compliance caches to sync: timed out waiting for cache to be synced
Usage:
  trivy-operator-polr-adapter run [flags]

Flags:
  -c, --config string             target configuration file
      --enable-compliance         Enable the transformation of ClusterComplianceDetailReports into ClusterPolicyReports
      --enable-config-audit       Enable the transformation of ConfigAuditReports into PolicyReports
      --enable-exposed-secrets    Enable the transformation of ExposedSecretReports into PolicyReports
      --enable-infra-assessment   Enable the transformation of InfraAssessmentReports into PolicyReports
      --enable-kube-bench         Enable the transformation of CISKubeBenchReports into ClusterPolicyReports
      --enable-rbac-assessment    Enable the transformation of RbacAssessmentReports into PolicyReports
      --enable-vulnerability      Enable the transformation of VulnerabilityReports into PolicyReports
  -h, --help                      help for run
  -k, --kubeconfig string         absolute path to the kubeconfig file

failed to wait for compliance caches to sync: timed out waiting for cache to be synced

Trivy Node Scanner `ClusterInfraAssessmentReport`

Hello @fjogeleit 👋

It seems that recent versions of the Trivy Operator enabled something new that scans the Kubernetes Nodes (the so-called Node Scanner) and produces a ClusterInfraAssessmentReport.

I noticed that this type isn't converted by the adapter to a ClusterPolicy.

An example of this report in the Trivy World (click to expand)
apiVersion: aquasecurity.github.io/v1alpha1
kind: ClusterInfraAssessmentReport
metadata:
  creationTimestamp: '2023-03-17T09:45:18Z'
  generation: 1
  labels:
    plugin-config-hash: 659b7b9c46
    resource-spec-hash: 54fcfbd8c7
    trivy-operator.resource.kind: Node
    trivy-operator.resource.name: ip-10-3-16-19.eu-central-1.compute.internal
    trivy-operator.resource.namespace: ''
  managedFields:
    - apiVersion: aquasecurity.github.io/v1alpha1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:labels:
            .: {}
            f:plugin-config-hash: {}
            f:resource-spec-hash: {}
            f:trivy-operator.resource.kind: {}
            f:trivy-operator.resource.name: {}
            f:trivy-operator.resource.namespace: {}
          f:ownerReferences:
            .: {}
            k:{"uid":"1cbb23e1-e749-490d-be02-ccb94e015e9f"}: {}
        f:report:
          .: {}
          f:checks: {}
          f:scanner:
            .: {}
            f:name: {}
            f:vendor: {}
            f:version: {}
          f:summary:
            .: {}
            f:criticalCount: {}
            f:highCount: {}
            f:lowCount: {}
            f:mediumCount: {}
      manager: trivy-operator
      operation: Update
      time: '2023-03-17T09:45:18Z'
  name: node-ip-10-3-16-19.eu-central-1.compute.internal
  ownerReferences:
    - apiVersion: v1
      blockOwnerDeletion: false
      controller: true
      kind: Node
      name: ip-10-3-16-19.eu-central-1.compute.internal
      uid: 1cbb23e1-e749-490d-be02-ccb94e015e9f
  resourceVersion: '25537871'
  uid: c1da64c6-7480-4dea-aa43-562aa2953117
  selfLink: >-
    /apis/aquasecurity.github.io/v1alpha1/clusterinfraassessmentreports/node-ip-10-3-16-19.eu-central-1.compute.internal
report:
  checks:
    - category: Kubernetes Security Check
      checkID: KCV0027
      description: Setup TLS connection on the API server.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --tls-cert-file and --tls-private-key-file arguments are
        set as appropriate
    - category: Kubernetes Security Check
      checkID: KCV0001
      description: Disable anonymous requests to the API server.
      messages:
        - ''
      severity: MEDIUM
      success: true
      title: Ensure that the --anonymous-auth argument is set to false
    - category: Kubernetes Security Check
      checkID: KCV0083
      description: >-
        Protect tuned kernel parameters from overriding kubelet default kernel
        parameter values.
      messages:
        - Ensure that the --protect-kernel-defaults is set to true
      severity: HIGH
      success: false
      title: Ensure that the --protect-kernel-defaults is set to true
    - category: Kubernetes Security Check
      checkID: KCV0071
      description: >-
        If kube-proxy is running, and if it is using a file-based kubeconfig
        file, ensure that the proxy kubeconfig file has permissions of 600 or
        more restrictive.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        If proxy kubeconfig file exists ensure permissions are set to 600 or
        more restrictive
    - category: Kubernetes Security Check
      checkID: KCV0072
      description: >-
        If kube-proxy is running, ensure that the file ownership of its
        kubeconfig file is set to root:root.
      messages:
        - ''
      severity: HIGH
      success: true
      title: if proxy kubeconfig file exists ensure ownership is set to root:root
    - category: Kubernetes Security Check
      checkID: KCV0063
      description: Ensure that the scheduler config  file ownership is set to root:root.
      messages:
        - ''
      severity: HIGH
      success: true
      title: Ensure that the scheduler config  file ownership is set to root:root
    - category: Kubernetes Security Check
      checkID: KCV0034
      description: Disable profiling, if not needed.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --profiling argument is set to false
    - category: Kubernetes Security Check
      checkID: KCV0016
      description: Limit the Node and Pod objects that a kubelet could modify.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the admission control plugin NodeRestriction is set
    - category: Kubernetes Security Check
      checkID: KCV0046
      description: etcd should be configured for peer authentication.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --peer-client-cert-auth argument is set to true
    - category: Kubernetes Security Check
      checkID: KCV0070
      description: Ensure that the kubelet service file ownership is set to root:root.
      messages:
        - ''
      severity: CRITICAL
      success: true
      title: Ensure that the kubelet service file ownership is set to root:root
    - category: Kubernetes Security Check
      checkID: KCV0087
      description: >-
        Security relevant information should be captured. The --event-qps flag
        on the Kubelet can be used to limit the rate at which events are
        gathered
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the --event-qps argument is set to 0 or a level which
        ensures appropriate event capture
    - category: Kubernetes Security Check
      checkID: KCV0004
      description: Use https for kubelet connections.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --kubelet-https argument is set to true
    - category: Kubernetes Security Check
      checkID: KCV0048
      description: >-
        Ensure that the API server pod specification file has permissions of 600
        or more restrictive.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the API server pod specification file permissions are set to
        600 or more restrictive
    - category: Kubernetes Security Check
      checkID: KCV0015
      description: Reject creating objects in a namespace that is undergoing termination.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the admission control plugin NamespaceLifecycle is set
    - category: Kubernetes Security Check
      checkID: KCV0017
      description: Do not disable the secure port.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --secure-port argument is not set to 0
    - category: Kubernetes Security Check
      checkID: KCV0086
      description: Do not override node hostnames.
      messages:
        - ''
      severity: HIGH
      success: true
      title: Ensure that the --hostname-override argument is not set
    - category: Kubernetes Security Check
      checkID: KCV0028
      description: Setup TLS connection on the API server.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --client-ca-file argument is set as appropriate
    - category: Kubernetes Security Check
      checkID: KCV0092
      description: >-
        Ensure that the Kubelet is configured to only use strong cryptographic
        ciphers.
      messages:
        - Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
      severity: CRITICAL
      success: false
      title: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
    - category: Kubernetes Security Check
      checkID: KCV0049
      description: >-
        Ensure that the API server pod specification file ownership is set to
        root:root.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the API server pod specification file ownership is set to
        root:root
    - category: Kubernetes Security Check
      checkID: KCV0042
      description: Configure TLS encryption for the etcd service.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --cert-file and --key-file arguments are set as
        appropriate
    - category: Kubernetes Security Check
      checkID: KCV0002
      description: Do not use token based authentication.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --token-auth-file parameter is not set
    - category: Kubernetes Security Check
      checkID: KCV0021
      description: Retain 10 or an appropriate number of old log files.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --audit-log-maxbackup argument is set to 10 or as
        appropriate
    - category: Kubernetes Security Check
      checkID: KCV0085
      description: Do not disable timeouts on streaming connections.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the --streaming-connection-idle-timeout argument is not set
        to 0
    - category: Kubernetes Security Check
      checkID: KCV0024
      description: Validate service account before validating token.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --service-account-lookup argument is set to true
    - category: Kubernetes Security Check
      checkID: KCV0062
      description: >-
        Ensure that the scheduler config file has permissions of 600 or more
        restrictive.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the scheduler config file permissions are set to 600 or more
        restrictive
    - category: Kubernetes Security Check
      checkID: KCV0084
      description: Allow Kubelet to manage iptables.
      messages:
        - ''
      severity: HIGH
      success: true
      title: Ensure that the --make-iptables-util-chains argument is set to true
    - category: Kubernetes Security Check
      checkID: KCV0090
      description: Enable kubelet client certificate rotation.
      messages:
        - Ensure that the --rotate-certificates argument is not set to false
      severity: HIGH
      success: false
      title: Ensure that the --rotate-certificates argument is not set to false
    - category: Kubernetes Security Check
      checkID: KCV0050
      description: >-
        Ensure that the controller manager pod specification file has
        permissions of 600 or more restrictive.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the controller manager pod specification file permissions
        are set to 600 or more restrictive
    - category: Kubernetes Security Check
      checkID: KCV0006
      description: Verify kubelet's certificate before establishing connection.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --kubelet-certificate-authority argument is set as
        appropriate
    - category: Kubernetes Security Check
      checkID: KCV0029
      description: >-
        etcd should be configured to make use of TLS encryption for client
        connections.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --etcd-cafile argument is set as appropriate
    - category: Kubernetes Security Check
      checkID: KCV0040
      description: Disable profiling, if not needed.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --profiling argument is set to false
    - category: Kubernetes Security Check
      checkID: KCV0018
      description: Disable profiling, if not needed.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --profiling argument is set to false
    - category: Kubernetes Security Check
      checkID: KCV0060
      description: >-
        Ensure that the admin config file has permissions of 600 or more
        restrictive.
      messages:
        - ''
      severity: CRITICAL
      success: true
      title: >-
        Ensure that the admin config file permissions are set to 600 or more
        restrictive
    - category: Kubernetes Security Check
      checkID: KCV0011
      description: Do not allow all requests.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the admission control plugin AlwaysAdmit is not set
    - category: Kubernetes Security Check
      checkID: KCV0068
      description: >-
        Ensure that the Kubernetes PKI certificate file permission is set to
        600.
      messages:
        - ''
      severity: HIGH
      success: true
      title: Ensure that the Kubernetes PKI certificate file permission is set to 600
    - category: Kubernetes Security Check
      checkID: KCV0045
      description: >-
        etcd should be configured to make use of TLS encryption for peer
        connections.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --peer-cert-file and --peer-key-file arguments are set
        as appropriate
    - category: Kubernetes Security Check
      checkID: KCV0030
      description: Encrypt etcd key-value store.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --encryption-provider-config argument is set as
        appropriate
    - category: Kubernetes Security Check
      checkID: KCV0079
      description: Disable anonymous requests to the Kubelet server.
      messages:
        - Ensure that the --anonymous-auth argument is set to false
      severity: CRITICAL
      success: false
      title: Ensure that the --anonymous-auth argument is set to false
    - category: Kubernetes Security Check
      checkID: KCV0058
      description: >-
        Ensure that the etcd data directory has permissions of 700 or more
        restrictive.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the etcd data directory permissions are set to 700 or more
        restrictive
    - category: Kubernetes Security Check
      checkID: KCV0088
      description: Setup TLS connection on the Kubelets.
      messages:
        - Ensure that the --tls-cert-file argument are set as appropriate
      severity: CRITICAL
      success: false
      title: Ensure that the --tls-cert-file argument are set as appropriate
    - category: Kubernetes Security Check
      checkID: KCV0055
      description: >-
        Ensure that the etcd pod specification file ownership is set to
        root:root.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the etcd pod specification file ownership is set to
        root:root
    - category: Kubernetes Security Check
      checkID: KCV0091
      description: Enable kubelet server certificate rotation.
      messages:
        - Verify that the RotateKubeletServerCertificate argument is set to true
      severity: HIGH
      success: false
      title: Verify that the RotateKubeletServerCertificate argument is set to true
    - category: Kubernetes Security Check
      checkID: KCV0065
      description: >-
        Ensure that the controller-manager config  file ownership is set to
        root:root.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the controller-manager config  file ownership is set to
        root:root
    - category: Kubernetes Security Check
      checkID: KCV0037
      description: >-
        Allow pods to verify the API server's serving certificate before
        establishing connections.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --root-ca-file argument is set as appropriate
    - category: Kubernetes Security Check
      checkID: KCV0064
      description: >-
        Ensure that the controller-manager config file has permissions of 600 or
        more restrictive.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the controller-manager config file permissions are set to
        600 or more restrictive
    - category: Kubernetes Security Check
      checkID: KCV0051
      description: >-
        Ensure that the controller manager pod specification file ownership is
        set to root:root.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the controller manager pod specification file ownership is
        set to root:root
    - category: Kubernetes Security Check
      checkID: KCV0080
      description: Do not allow all requests. Enable explicit authorization.
      messages:
        - >-
          Ensure that the --authorization-mode argument is not set to
          AlwaysAllow
      severity: HIGH
      success: false
      title: Ensure that the --authorization-mode argument is not set to AlwaysAllow
    - category: Kubernetes Security Check
      checkID: KCV0007
      description: Do not always authorize all requests.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --authorization-mode argument is not set to AlwaysAllow
    - category: Kubernetes Security Check
      checkID: KCV0019
      description: >-
        Enable auditing on the Kubernetes API Server and set the desired audit
        log path.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --audit-log-path argument is set
    - category: Kubernetes Security Check
      checkID: KCV0053
      description: >-
        Ensure that the scheduler pod specification file ownership is set to
        root:root.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the scheduler pod specification file ownership is set to
        root:root
    - category: Kubernetes Security Check
      checkID: KCV0013
      description: >-
        The SecurityContextDeny admission controller can be used to deny pods
        which make use of some SecurityContext fields which could allow for
        privilege escalation in the cluster. This should be used where
        PodSecurityPolicy is not in place within the cluster.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the admission control plugin SecurityContextDeny is set if
        PodSecurityPolicy is not used
    - category: Kubernetes Security Check
      checkID: KCV0074
      description: Ensure that the kubelet.conf file ownership is set to root:root.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the --kubeconfig kubelet.conf file ownership is set to
        root:root
    - category: Kubernetes Security Check
      checkID: KCV0010
      description: Limit the rate at which the API server accepts requests.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the admission control plugin EventRateLimit is set
    - category: Kubernetes Security Check
      checkID: KCV0056
      description: >-
        Ensure that the container network interface file has permissions of 600
        or more restrictive.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the container network interface file permissions are set to
        600 or more restrictive
    - category: Kubernetes Security Check
      checkID: KCV0009
      description: Turn on Role Based Access Control.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --authorization-mode argument includes RBAC
    - category: Kubernetes Security Check
      checkID: KCV0135
      description: Use individual service account credentials for each controller.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --use-service-account-credentials argument is set to
        true
    - category: Kubernetes Security Check
      checkID: KCV0026
      description: >-
        etcd should be configured to make use of TLS encryption for client
        connections.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as
        appropriate
    - category: Kubernetes Security Check
      checkID: KCV0014
      description: Automate service accounts management.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the admission control plugin ServiceAccount is set
    - category: Kubernetes Security Check
      checkID: KCV0067
      description: Ensure that the Kubernetes PKI key file permission is set to 600.
      messages:
        - ''
      severity: CRITICAL
      success: true
      title: Ensure that the Kubernetes PKI key file permission is set to 600
    - category: Kubernetes Security Check
      checkID: KCV0008
      description: Restrict kubelet nodes to reading only objects associated with them.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --authorization-mode argument includes Node
    - category: Kubernetes Security Check
      checkID: KCV0025
      description: >-
        Explicitly set a service account public key file for service accounts on
        the apiserver.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --service-account-key-file argument is set as
        appropriate
    - category: Kubernetes Security Check
      checkID: KCV0059
      description: Ensure that the etcd data directory ownership is set to etcd:etcd.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the etcd data directory ownership is set to etcd:etcd
    - category: Kubernetes Security Check
      checkID: KCV0005
      description: Enable certificate based kubelet authentication.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --kubelet-client-certificate and --kubelet-client-key
        arguments are set as appropriate
    - category: Kubernetes Security Check
      checkID: KCV0069
      description: >-
        Ensure that the kubelet service file has permissions of 600 or more
        restrictive.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the kubelet service file permissions are set to 600 or more
        restrictive
    - category: Kubernetes Security Check
      checkID: KCV0038
      description: Enable kubelet server certificate rotation on controller-manager.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the RotateKubeletServerCertificate argument is set to true
    - category: Kubernetes Security Check
      checkID: KCV0036
      description: >-
        Explicitly set a service account private key file for service accounts
        on the controller manager.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --service-account-private-key-file argument is set as
        appropriate
    - category: Kubernetes Security Check
      checkID: KCV0078
      description: >-
        Ensure that if the kubelet refers to a configuration file with the
        --config argument, that file is owned by root:root.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        If the kubelet config.yaml configuration file is being used validate
        file ownership is set to root:root
    - category: Kubernetes Security Check
      checkID: KCV0061
      description: Ensure that the admin config  file ownership is set to root:root.
      messages:
        - ''
      severity: CRITICAL
      success: true
      title: Ensure that the admin config  file ownership is set to root:root
    - category: Kubernetes Security Check
      checkID: KCV0047
      description: Do not use self-signed certificates for TLS.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --peer-auto-tls argument is not set to true
    - category: Kubernetes Security Check
      checkID: KCV0033
      description: Activate garbage collector on pod termination, as appropriate.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --terminated-pod-gc-threshold argument is set as
        appropriate
    - category: Kubernetes Security Check
      checkID: KCV0057
      description: >-
        Ensure that the container network interface file ownership is set to
        root:root.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the container network interface file ownership is set to
        root:root
    - category: Kubernetes Security Check
      checkID: KCV0077
      description: >-
        Ensure that if the kubelet refers to a configuration file with the
        --config argument, that file has permissions of 600 or more restrictive.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        If the kubelet config.yaml configuration file is being used validate
        permissions set to 600 or more restrictive
    - category: Kubernetes Security Check
      checkID: KCV0089
      description: Setup TLS connection on the Kubelets.
      messages:
        - Ensure that the --tls-key-file argument are set as appropriate
      severity: CRITICAL
      success: false
      title: Ensure that the --tls-key-file argument are set as appropriate
    - category: Kubernetes Security Check
      checkID: KCV0020
      description: Retain the logs for at least 30 days or as appropriate.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --audit-log-maxage argument is set to 30 or as
        appropriate
    - category: Kubernetes Security Check
      checkID: KCV0041
      description: Do not bind the scheduler service to non-loopback insecure addresses.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --bind-address argument is set to 127.0.0.1
    - category: Kubernetes Security Check
      checkID: KCV0043
      description: Enable client authentication on etcd service.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --client-cert-auth argument is set to true
    - category: Kubernetes Security Check
      checkID: KCV0039
      description: Do not bind the scheduler service to non-loopback insecure addresses.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --bind-address argument is set to 127.0.0.1
    - category: Kubernetes Security Check
      checkID: KCV0075
      description: >-
        Ensure that the certificate authorities file has permissions of 600 or
        more restrictive.
      messages:
        - ''
      severity: CRITICAL
      success: true
      title: >-
        Ensure that the certificate authorities file permissions are set to 600
        or more restrictive
    - category: Kubernetes Security Check
      checkID: KCV0022
      description: Rotate log files on reaching 100 MB or as appropriate.
      messages:
        - ''
      severity: LOW
      success: true
      title: >-
        Ensure that the --audit-log-maxsize argument is set to 100 or as
        appropriate
    - category: Kubernetes Security Check
      checkID: KCV0052
      description: >-
        Ensure that the scheduler pod specification file has permissions of 600
        or more restrictive.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the scheduler pod specification file permissions are set to
        600 or more restrictive
    - category: Kubernetes Security Check
      checkID: KCV0081
      description: Enable Kubelet authentication using certificates.
      messages:
        - Ensure that the --client-ca-file argument is set as appropriate
      severity: CRITICAL
      success: false
      title: Ensure that the --client-ca-file argument is set as appropriate
    - category: Kubernetes Security Check
      checkID: KCV0066
      description: >-
        Ensure that the Kubernetes PKI directory and file file ownership is set
        to root:root.
      messages:
        - ''
      severity: CRITICAL
      success: true
      title: >-
        Ensure that the Kubernetes PKI directory and file file ownership is set
        to root:root
    - category: Kubernetes Security Check
      checkID: KCV0073
      description: >-
        Ensure that the kubelet.conf file has permissions of 600 or more
        restrictive.
      messages:
        - ''
      severity: HIGH
      success: true
      title: >-
        Ensure that the --kubeconfig kubelet.conf file permissions are set to
        600 or more restrictive
    - category: Kubernetes Security Check
      checkID: KCV0044
      description: Do not use self-signed certificates for TLS.
      messages:
        - ''
      severity: LOW
      success: true
      title: Ensure that the --auto-tls argument is not set to true
    - category: Kubernetes Security Check
      checkID: KCV0054
      description: >-
        Ensure that the etcd pod specification file has permissions of 600 or
        more restrictive.
      messages:
          - ''
      severity: HIGH
      success: true
      title: >-
          Ensure that the etcd pod specification file permissions are set to 600
          or more restrictive
      - category: Kubernetes Security Check
      checkID: KCV0003
      description: >-
          This admission controller rejects all net-new usage of the Service field
          externalIPs.
      messages:
          - ''
      severity: LOW
      success: true
      title: Ensure that the --DenyServiceExternalIPs is not set
      - category: Kubernetes Security Check
      checkID: KCV0076
      description: >-
          Ensure that the certificate authorities file ownership is set to
          root:root.
      messages:
          - ''
      severity: CRITICAL
      success: true
      title: >-
          Ensure that the client certificate authorities file ownership is set to
          root:root
      - category: Kubernetes Security Check
      checkID: KCV0082
      description: Disable the read-only port.
      messages:
          - Verify that the --read-only-port argument is set to 0
      severity: HIGH
      success: false
      title: Verify that the --read-only-port argument is set to 0
  scanner:
      name: Trivy
      vendor: Aqua Security
      version: 0.12.1
  summary:
      criticalCount: 5
      highCount: 5
      lowCount: 0
      mediumCount: 0

Error Unsupported value: "critical"

Hi,
I'm using trivy-operator version 0.8.0 and I got these issues:

client.go:27: [ERROR] VulnerabilityReport: Failed to process report daemonset-cilium-clean-cilium-state; failed to create PolicyReport in namespace kube-system: PolicyReport.wgpolicyk8s.io "trivy-vuln-polr-daemonset-cilium" is invalid: results[1].severity: Unsupported value: "critical": supported values: "high", "low", "medium"
client.go:27: [ERROR] ClusterRbacAssessmentReport: Failed to process report clusterrole-trivy-operator; failed to create ClusterPolicyReport clusterrole-trivy-operator: ClusterPolicyReport.wgpolicyk8s.io "trivy-rbac-cpolr-clusterrole-trivy-operator" is invalid: results[0].severity: Unsupported value: "critical": supported values: "high", "low", "medium"

Doc: matrix compatibility

Hi,
It would be nice if the readme had a table with the supported versions of trivy-operator and which kyverno or CRD version must be used.
It helps to upgrade components in the right way and answers stupid questions :)
For example, if trivy-operator publishes a new API version, the trivy-adapter would not work anymore.

Trivy ExposedSecrets etc. not visible in policy reporter

I installed the trivy-adapter, at first without additional flags. Later I wanted to see all the reports in the policy reporter, but if I do:
helm upgrade trivy-operator-polr-adapter trivy-operator-polr-adapter/trivy-operator-polr-adapter -n trivy-adapter --set adapters.vulnerabilityReports.enabled=true,adapters.configAuditReports.enabled=true,adapters.rbacAssessmentReports.enabled=true,adapters.exposedSecretReports.enabled=true,adapters.complianceReports.enabled=true,adapters.infraAssessmentReports.enabled=true,adapters.clusterInfraAssessmentReports.enabled=true,adapters.cisKubeBenchReports.enabled=true
I don't see the report in the UI:

ComplianceReports cause a crash

Hi @fjogeleit using the operator / chart v0.2.0, I get the error below despite using the latest Trivy version (then the Pod kinda keeps restarting indefinitely):

[INFO] VulnerabilityReports enabled
[INFO] ComplianceReports enabled
[INFO] RbacAssessmentReports enabled
[INFO] ExposedSecretReports enabled
Error: failed to wait for compliance caches to sync: timed out waiting for cache to be synced
Usage:
  trivy-operator-polr-adapter run [flags]

Flags:
  -c, --config string            target configuration file
      --enable-compliance        Enable the transformation of ClusterComplianceDetailReport into ClusterPolicyReports
      --enable-config-audit      Enable the transformation of ConfigAuditReports into PolicyReports
      --enable-exposed-secrets   Enable the transformation of ExposedSecretReport into PolicyReports
      --enable-kube-bench        Enable the transformation of CISKubeBenchReports into ClusterPolicyReports
      --enable-rbac-assessment   Enable the transformation of RbacAssessmentReport into PolicyReports
      --enable-vulnerability     Enable the transformation of VulnerabilityReports into PolicyReports
  -h, --help                     help for run
  -k, --kubeconfig string        absolute path to the kubeconfig file

failed to wait for compliance caches to sync: timed out waiting for cache to be synced

Could that be something that you fixed in v0.2.1? .. also that chart version doesn't seem to be published 😢

Critical Issues are shown as High

Hi,

I just installed the latest trivy-operator and trivy-operator-polr-adapter helm charts.
It seems that the Critical vulnerabilities are shown only as "high" in policy-reporter.

For example: CVE-2022-32207
is in trivy Operator CRITICAL but in policy reporter only "high"

If I can add further information, just tell me what you need.

Versions of helm charts:
trivy-operator-0.7.1
trivy-0.4.17
trivy-operator-polr-adapter-0.1.4
policy-reporter-2.13.5

Thanks in advance

No Trivy Operator ClusterComplianceReport

Dear @fjogeleit and Dear @caruccio,

I am a big admirer of your project, thank you for taking care of the original architectural overlooks in trivy-operator!

I seem to be missing any ClusterComplianceReport's data. Although trivy-operator-polr-adapter is aware of these reports existence, it comes up with zero readings.

kubectl get cpolr trivy-compliance-cpolr-cis trivy-compliance-cpolr-nsa trivy-compliance-cpolr-pss-baseline trivy-compliance-cpolr-pss-restricted
NAME PASS FAIL WARN ERROR SKIP AGE
trivy-compliance-cpolr-cis 0 0 0 0 0 43m
trivy-compliance-cpolr-nsa 0 0 0 0 0 43m
trivy-compliance-cpolr-pss-baseline 0 0 0 0 0 43m
trivy-compliance-cpolr-pss-restricted 0 0 0 0 0 43m

Trivy's own view appears to be more meaningful.

kubectl get clustercompliancereports cis -oyaml|grep -E 'HIGH|MEDIUM|CRITICAL|LOW|INFO'|sort|uniq -c
19 severity: CRITICAL
50 severity: HIGH
23 severity: LOW
24 severity: MEDIUM
kubectl get clustercompliancereports nsa -oyaml|grep -E 'HIGH|MEDIUM|CRITICAL|LOW|INFO'|sort|uniq -c
8 severity: CRITICAL
5 severity: HIGH
3 severity: LOW
11 severity: MEDIUM
kubectl get clustercompliancereports pss-baseline -oyaml|grep -E 'HIGH|MEDIUM|CRITICAL|LOW|INFO'|sort|uniq -c
5 severity: HIGH
6 severity: MEDIUM
kubectl get clustercompliancereports pss-restricted -oyaml|grep -E 'HIGH|MEDIUM|CRITICAL|LOW|INFO'|sort|uniq -c
5 severity: HIGH
4 severity: LOW
8 severity: MEDIUM

I appreciate this isn't a support forum, but what direction shall I be digging in, please? Have I missed anything?

Or could it be that ClusterComplianceReport is a somewhat unintended use of trivy-operator? My final destination is to combine multi-cluster data into Grafana Loki. This could be, of course, a duplicate effort of what armo/kubescape is doing for report aggregation. Reporting is a paid feature there, though.

Best regards,
Wang Wei

trivy-operator configuration

helm install trivy-operator aqua/trivy-operator \
  --namespace trivy-system \
  --create-namespace \
  --version 0.13.0 \
  --set='trivy.ignoreUnfixed=true' \
  --set='trivy.command=filesystem' \
  --set='trivyOperator.scanJobPodTemplateContainerSecurityContext.runAsUser=0'

trivy-operator-polr-adapter configuration (no policy-reporter is present on the cluster)

helm install trivy-operator-polr-adapter trivy-operator-polr-adapter/trivy-operator-polr-adapter \
  -ntrivy-adapter --create-namespace \
  --set='crds.install=true' \
  --set='adapters.complianceReports.enabled=true' \
  --set='adapters.rbacAssessmentReports.enabled=true' \
  --set='adapters.exposedSecretReports.enabled=true' \
  --set='adapters.infraAssessmentReports.enabled=true' \
  --set='adapters.clusterInfraAssessmentReports.enabled=true'

Kube API limit

Hi,
Could you add functionality to configure the RPS to the kube-api?

I1228 13:41:01.589679       1 request.go:682] Waited for 1.000340418s due to client-side throttling, not priority and fairness, request: PUT:https://10.11.0.1:443/apis/wgpolicyk8s.io/v1alpha2/namespaces/monitoring/policyreports/trivy-audit-polr-replicaset-trivy-operator-adapter-5b849f8bc6

It would be nice to have this option, or to improve the requests to the kube API.

Add the option to respect certain labels on the original Trivy CRDs

Currently we configured the Trivy CRDs to respect the labels owner and app set on the resources to scan. This enables us to be able to filter e.g. by vulnerabilities belonging to a certain team or a certain application (at least from a Grafana perspective).

Maybe it would be a good idea to allow the adapter to also respect some of those labels and add them on the ClusterPolicyReport and PolicyReport objects it creates?

RBAC permission issue

The new version supports the InfraAssessmentReport, but the RBAC doesn't have permission to list the resource:

- apiGroups:
  - 'aquasecurity.github.io'
  resources:
  - vulnerabilityreports
  - configauditreports
  - ciskubebenchreports
  - clustercompliancereports
  - rbacassessmentreports
  - clusterrbacassessmentreports
  - exposedsecretreports
  verbs:
  - get
  - list
  - watch

Could you add infraassessmentreports to the list?

NAME                                                               SHORTNAMES                         APIVERSION                                NAMESPACED   KIND
infraassessmentreports                                             infraassessment,infraassessments   aquasecurity.github.io/v1alpha1           true         InfraAssessmentReport

Thanks

Question: mapping result from Vulnerability- & ConfigAudit-Reports

Hey, I don't quite understand how the result (pass, skip, warn, error, or fail) is mapped from Vulnerability- & ConfigAudit-Reports.

Based on my observations, I guess that for VulnerabilityReports, if a CVE has a critical/high score, the result is fail. For low to medium scores it's warn.
And for ConfigAuditReport it's always fail if a resource doesn't pass the evaluation.

Is my understanding correct? Otherwise I would be very happy if someone could provide a brief explanation :)
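The three severity-related issues above (the "Unsupported value: critical" rejection by a PolicyReport CRD that only enumerates high/medium/low, critical findings showing up as high, and the result-mapping question) can be tied together in one small Go sketch. This is an added illustration, not the adapter's own code: the allowed-severity sets are taken from the error message in the first issue plus the "critical" value newer CRDs accept, and the result mapping encodes the questioner's guess above, not the adapter's verified behaviour.

```go
package main

import (
	"fmt"
	"strings"
)

// Severity values accepted by the wgpolicyk8s.io PolicyReport CRD.
// legacySeverities matches the "supported values: high, low, medium" error
// shown above; currentSeverities adds "critical" (assumed for newer CRDs).
var (
	legacySeverities  = map[string]bool{"high": true, "medium": true, "low": true}
	currentSeverities = map[string]bool{"critical": true, "high": true, "medium": true, "low": true}
)

// MapSeverity converts a Trivy severity (CRITICAL, HIGH, ...) into a value the
// installed CRD will accept. Against a legacy CRD, CRITICAL is clamped to "high",
// which is exactly the "Critical Issues are shown as High" symptom; anything
// outside the accepted set (e.g. UNKNOWN) falls back to "low".
func MapSeverity(trivySeverity string, crdAcceptsCritical bool) string {
	sev := strings.ToLower(strings.TrimSpace(trivySeverity))
	allowed := currentSeverities
	if !crdAcceptsCritical {
		allowed = legacySeverities
		if sev == "critical" {
			return "high"
		}
	}
	if allowed[sev] {
		return sev
	}
	return "low"
}

// MapResult derives the PolicyReport result as the questioner guesses it:
// vulnerabilities of critical/high severity are "fail", lower ones "warn";
// a failed config-audit check is always "fail" and a passing check is "pass".
// Hypothetical mapping for illustration only.
func MapResult(kind, mappedSeverity string, passed bool) string {
	if passed {
		return "pass"
	}
	if kind == "VulnerabilityReport" {
		if mappedSeverity == "critical" || mappedSeverity == "high" {
			return "fail"
		}
		return "warn"
	}
	return "fail" // ConfigAuditReport and similar audit-style reports
}

func main() {
	for _, accepts := range []bool{false, true} {
		sev := MapSeverity("CRITICAL", accepts)
		fmt.Printf("crdAcceptsCritical=%v: CRITICAL -> %s (%s)\n", accepts, sev, MapResult("VulnerabilityReport", sev, false))
	}
}
```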
